Finding the Needle in the NBEstack
I’m a huge fan of the Nessus vulnerability scanner. It’s got plug-ins for anything you could ask for, runs great in a Linux environment, and outputs a ton of information (thanks to thousands and thousands of checks). While all that information is a good thing, sometimes you are just looking for specific issues or findings across a network. A quick way I like to strip out interesting information is grepping through the output files for certain Nessus ID’s. Here is a quick list of interesting plug-ins:
- 16314 – Lists suspicious and unwanted software.
- 36217 – Detection of the Conficker worm.
- 23938 – Locates Cisco routers with missing / default passwords.
- 38153 – A nice summary of missing Microsoft patches.
- 11936 – Identification details about the machines OS.
- 10673 – Locates SQL servers with default / blank SA accounts.
- 10396 – Details about SMB shares.
- 23910 – Locates modified HOSTS files – can be an indication of a virus or malware.
To search for these, I usually do a quick grep nessus-id *.nbe and then use cut with custom delimiters to filter out the IP addresses and other pertinent information.